Terminology

SOC, or Security Operations Center, is a central location composed of leading-edge tools, technology and people (intel gatherers, analysts) that deals with security issues at an organisational and technical level.

IDS, or Intrusion Detection System, is a device that monitors network traffic for threats to the environment, proactively alerting the SOC analyst to potential problems.

IPS, or Intrusion Prevention System, is similar but sits inline in the traffic path, and can take active or passive mitigation actions.

SIEM, or Security Information and Event Management, is all about the collection and aggregation of alerts and logs from multiple hosts, for event tracking, retention and correlation.

The left-over 13 bits are the fragment offset, which points to where in the original datagram this fragment belongs.

TTL (1 byte) defines the maximum time (in seconds) the datagram is allowed to remain in the network. A TTL of 0x40 is 64 seconds.

Protocol (1 byte) identifies the protocol of the data that is encapsulated in the IP datagram. The protocol here is 0x11, or 17 decimal, which translates to UDP. Refer to the Internet Protocol Numbers section in RFC 790 for more.

Tools

pcap (packet capture) is the de facto API and output format (application/vnd.tcpdump.pcap) for dealing with packets at the link layer and above. UNIX systems implement libpcap, and other operating systems have ports.

Wireshark (and tshark)

Wireshark is a graphical analyser (tshark is its CLI counterpart) and provides a very intuitive visual experience for filtering and breaking down segments.

Filtering abilities are strong.

To exclude UDP datagrams coming in or leaving on port 53 (DNS):

!(udp.dstport == 53 || udp.srcport == 53)

To only include ARP packets:

arp
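As an added example (not part of these notes, and not Wireshark's own code), the following Python script decodes the IPv4 header fields walked through in the Terminology section (flags, the 13-bit fragment offset, TTL, protocol) from Ethernet frames, and then applies the two display filters above as Python predicates over a small set of frames. The frames, MAC/IP addresses and port numbers are constructed for the example; the field layout follows RFC 791, and the header checksum is left at zero because the parser does not verify it.

```python
import struct

# Constants for the example; protocol numbers are from the assigned-numbers list (RFC 790 / IANA).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4_header(data):
    """Decode the fixed 20-byte IPv4 header into flags, fragment offset, TTL, protocol, addresses."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),   # flag bit 1 (bit 0 is reserved)
        "more_fragments": bool(flags_frag & 0x2000),  # flag bit 2
        "fragment_offset": flags_frag & 0x1FFF,       # the left-over 13 bits, in 8-byte units
        "ttl": ttl,                                   # 0x40 -> 64
        "protocol": proto,                            # 0x11 -> 17 -> UDP
        "protocol_name": IP_PROTOCOLS.get(proto, "unknown"),
        "src": ".".join(str(b) for b in data[12:16]),
        "dst": ".".join(str(b) for b in data[16:20]),
        "payload": data[ihl:],
    }


def parse_frame(frame):
    """Decode an Ethernet II frame into the flat field names the filters below use."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == ETHERTYPE_IPV4:
        info.update(parse_ipv4_header(frame[14:]))
        # UDP ports exist only in the first fragment (offset 0) and need 8 bytes of UDP header.
        if info["protocol"] == 17 and info["fragment_offset"] == 0 and len(info["payload"]) >= 8:
            sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", info["payload"][:8])
            info["udp.srcport"], info["udp.dstport"] = sport, dport
    return info


def not_dns(info):
    """Equivalent of the display filter !(udp.dstport == 53 || udp.srcport == 53).
    Frames with no UDP ports (ARP, non-first fragments) pass, as they do in Wireshark."""
    return not (info.get("udp.dstport") == 53 or info.get("udp.srcport") == 53)


def is_arp(info):
    """Equivalent of the display filter: arp"""
    return info["ethertype"] == ETHERTYPE_ARP


def apply_filter(frames, predicate):
    """Parse every frame and keep the ones the predicate accepts, like a display filter."""
    return [info for info in map(parse_frame, frames) if predicate(info)]


# --- constructed sample frames (not captured traffic) ---------------------------------
def build_ipv4_frame(proto, payload, flags_frag=0x4000, ttl=0x40):
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                     ttl, proto, 0, bytes([192, 168, 0, 10]), bytes([192, 168, 0, 1]))
    return eth + ip + payload


def build_udp_frame(src_port, dst_port, data=b"x" * 4):
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    return build_ipv4_frame(17, udp)


ARP_FRAME = b"\xff" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28

SAMPLE_FRAMES = [
    build_udp_frame(51000, 53),     # DNS query
    build_udp_frame(53, 51000),     # DNS response
    build_udp_frame(5000, 5001),    # some other UDP traffic
    ARP_FRAME,                      # ARP
    build_ipv4_frame(17, b"y" * 16, flags_frag=0x2000 | 185),  # 2nd fragment: MF set, offset 185*8
]

if __name__ == "__main__":
    first = parse_frame(SAMPLE_FRAMES[0])
    print(f"TTL={first['ttl']} protocol={first['protocol']} ({first['protocol_name']})")
    print("frames left after excluding DNS:", len(apply_filter(SAMPLE_FRAMES, not_dns)))
    print("ARP frames:", len(apply_filter(SAMPLE_FRAMES, is_arp)))
```

Note the fragment case: a non-first fragment carries no UDP header, so it has no udp.srcport/udp.dstport fields and is kept by the DNS-exclusion filter even though it belongs to a UDP datagram. Wireshark behaves the same way unless IP reassembly is enabled, which is worth remembering when a filter on transport-layer ports is used to rule traffic out.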

tcpdump

tcpdump, born in 1988, typically ships with most UNIX systems. WinDump is a Windows port.